Rest API - Interview Questions
How do you keep REST APIs secure?
REST APIs do not employ as strict security measures as SOAP APIs, and therefore should not be used to send or retrieve sensitive information. However, good REST APIs still implement security measures for secure and reliable data transfers.
Authentication and authorization: All requests to the API should be authenticated and authorized. Authentication is the process of verifying the identity of the client; authorization is confirming that the client has permission to access the requested resources.

Validation: After authentication and authorization, requests still need to be checked for potentially malicious input before the API gives access to its resources. Otherwise, the server will be vulnerable to an injection attack.

Encryption: TLS/SSL encryption secures the connection between client and server and prevents attackers from intercepting requests and responses.

Rate-limiting: Rate-limiting methods like quotas and throttling prevent brute-force and flooding attacks such as DDoS that attempt to slow or crash the server.

No sensitive information in URIs: Protected information (e.g., a username, password, or authentication token) should not be visible in the URI of a resource, where it ends up in logs, browser history, and referrer headers.
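The checklist above applied in order to a single incoming request, as an added example that is not part of the original page: the bearer token, user, accepted field names and client addresses are constructed, and the token-bucket limiter and the "a client may only touch its own /users/{name} resource" rule are assumptions standing in for a real service's auth store and policy.

```python
import re
import time
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: one valid bearer token mapped to its user, the body
# fields the endpoint accepts, and query parameters that must never carry secrets.
VALID_TOKENS = {"tok-constructed-123": "alice"}
ALLOWED_FIELDS = {"name", "email"}
SAFE_VALUE = re.compile(r"[\w .@+-]{1,64}")
SENSITIVE_PARAMS = {"token", "access_token", "password", "username"}

class TokenBucket:
    """Per-client throttle: refills `rate` tokens/second up to `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity, self.buckets = rate, capacity, {}
    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed

LIMITER = TokenBucket(rate=1.0, capacity=3)

def check_request(url, headers, body, client_ip, now=None):
    """Apply the five controls in order; return (HTTP status, reason)."""
    parts = urlsplit(url)
    # Encryption: refuse anything that did not arrive over TLS.
    if parts.scheme != "https":
        return 426, "TLS required"
    # Rate-limiting: throttle per client before doing any expensive work.
    if not LIMITER.allow(client_ip, now):
        return 429, "rate limit exceeded"
    # No sensitive information in URIs: credentials belong in headers, not query strings.
    if SENSITIVE_PARAMS & set(parse_qs(parts.query)):
        return 400, "credential in URI"
    # Authentication: identify the caller from the Authorization: Bearer header.
    auth = headers.get("Authorization", "")
    user = VALID_TOKENS.get(auth[7:].strip()) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, "unauthenticated"
    # Authorization (assumed policy): a client may only touch its own resource.
    if parts.path != f"/users/{user}":
        return 403, "forbidden"
    # Validation: allow-list field names and constrain values before they reach storage.
    for key, value in body.items():
        if key not in ALLOWED_FIELDS or not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            return 422, f"invalid field {key!r}"
    return 200, "ok"
```

Each check is ordered so the cheapest rejections (transport, throttling) happen before any credential lookup or body parsing.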